What Does Transport Layer Security (TLS) do?

If you own or are about to start a website for your business, it’s important to think about how to make sure your customers’ data is protected. Unfortunately, data breaches are all too common, even amongst bigger companies, and the result is more than just angry customers and lost profit. No matter the size of your business, if a hacker gets ahold of your clients’ information, your reputation will be seriously compromised, and it will be hard to expunge that mistake. Luckily, one of the biggest steps you can take to secure your website is also the easiest: enabling TLS for your domain.

TLS, or Transport Layer Security, is a method of encrypting the data that a visitor submits on your site and sends to you, or rather, to your server. The way it encrypts data doesn’t necessarily prevent a hacker from intercepting that data, but it does render it unusable for anyone except you.

The benefit of enabling TLS on your site goes beyond just securing your customers’ data. Having a valid and up-to-date certificate also considerably boosts your website’s SEO score on Google, helping you appear higher in search results. Statistics also show that more visitors trust sites with TLS because of the visual cues it provides, such as the padlock symbol on the URL bar. This trust between you and your clients is especially important if you intend to sell anything through your website.

All of this is great news for any website owner, but how does TLS actually work? What does it do that secures your data so effectively? This article delves into the nitty gritty of TLS encryption in explaining the processes that make it safe and secure.

TLS

TLS is an Internet security protocol that encrypts any data that gets transferred between a user and a web server through a website. The encryption and decryption process works through the use of two “keys,” one of them being a “public key” and one being a “private key.” When a website visitor inputs data into a website and sends it out to the server to be processed, the data is sealed (or “signed,” to use the technical term) by the public key. This key is accessible to anyone, hence the moniker “public.” Even you could access the key if you had the desire and were a little technical savvy. Unfortunately, this means that cyber criminals can access the public key as well, which is why the private key exists. The private key is kept inaccessible to individuals like cyber criminals, and is the only way to “unlock” the data. Because a hacker cannot access the private key, even if they manage to intercept a data packet being sent out, or if they have access to the public key, they will still not be able to decrypt your data.

If your website is equipped with TLS, then when a visitor first arrives at your site, their computer and your site server will agree on a new unique set of public and private keys for the session in a process called a “handshake.” These keys are generated by a mathematically-intensive algorithm called asymmetrical cryptography. Because of the complexity of this system, its results are very difficult to reverse-engineer by brute force, and makes these keys impossible for a hacker to reproduce. While this method is far more secure than its alternative—symmetrical cryptography—its complexity also requires significantly more computing power. After this agreement is made, the computer and your server use symmetrical cryptography for the rest of the conversation, all before one byte of information is exchanged.

According to the TLS Protocol, the system aims to improve privacy and data integrity. A connection secured by TLS should be private, authenticated, and reliable. The newest iterations of TLS also can be configured to provide a variety of other significant security measures like forward secrecy.

TLS vs SSL

At this point you may recall another well known security protocol that operates very similarly to TLS: SSL. SSL, or Secure Sockets Layer, is actually the predecessor of TLS. Like most things on the Internet, SSL went through a series of updates throughout its lifetime. The final version of SSL before TLS became the mainstream was SSL 3.0. According to CSO.com, “When the next version of the [SSL] protocol was released in 1999, it was standardized by the Internet Engineering Task Force (IETF) and given a new name: Transport Layer Security, or TLS.” Because of this, it is more accurate to think of TLS as “SSL 4.0” than an entirely new cryptographic protocol. Even according to the TLS Protocol Notes, “the differences between this protocol [TLS] and SSL 3.0 are not dramatic.” That being said, undramatic differences are definitely not the same as unimportant differences.

SSL is still a part of the Internet technology vernacular, though, and so many organizations continue to refer to this security measure as SSL rather than TLS, even if TLS what’s on the table. For example, 101domain’s “SSL/TLS Buyer’s Guide” uses the term TLS only a few times, and always in conjunction with SSL. Don’t be confused though! TLS has been the Internet standard since version 1.0 in 1999, with over 90% of websites today supporting a version of TLS 1.0 or higher.

How to Get a Certificate

Obtaining an SSL/TLS certificate is simple and requires no technical know-how. Some websites boast that they can provide you with a free SSL certificate, but these claims should be taken with a grain of salt. At the most they can only provide the lowest level of certification, and that certificate rarely comes with any guarantees of quality or support. By far the best method to integrate TLS into your website is to purchase a certificate from the registrar you obtained your domain with.